FAQ
What type of network traffic is affected by the Adobe Acrobat Sign TLS encryption rules?
All Traffic:
INBOUND
Inbound traffic refers to connections made from a client to our servers. We will stop supporting unencrypted connections to our APIs -- that is, requests that use "http:" rather than "https:".
Once we've made this change, customer and partner applications will fail on attempts to establish unencrypted connections. The error behavior will be application-specific.
Error messages:
The error will be specific to the application but could be reported as a network connection error.
To correct this, customers must change their applications to specify "https:" URLs. Their clients must also support TLSv1.2. (As of April 9, that is the only version of SSL/TLS that our servers accept.)
OUTBOUND
Outbound traffic refers to connections made from our servers back to customer-specified servers. There are two categories:
• Upload callbacks for document uploads (described here for our REST API, but also applies to the legacy SOAP API)
• Status callbacks to notify the customer of a change in agreement status (described here for our REST API, but also applies to the legacy SOAP API)
For both categories of callbacks, we will stop supporting:
a. Unencrypted connections (using "http:" rather than "https:" URLs)
b. Connections to servers that do not support TLSv1.2 (in other words, TLSv1.0 and TLSv1.1 will no longer be supported)
c. Connections to servers that have invalid certificates. This includes certificates that are self-signed or expired, as well as cases in which a URL uses an IP address rather than a hostname.
Error messages:
• Upload callback: The upload should return an API error.
• Status callbacks:
To correct this:
• In partner/customer Sign applications, the URLs specified for callbacks must use "https:" rather than "http:". The URLs must also use a hostname rather than an IP address.
• The servers referenced by these URLs must support TLSv1.2 and have valid certificates.
How do I know if my connection to Acrobat Sign is secure?
We are generating reports to identify customers whose existing inbound or outbound traffic is insecure. Those customers will be notified directly.
Customers who wish to test that their server is compliant can use a variety of free or commercial tools, including the Qualys SSLLabs Server Test, to ensure that their server accepts TLSv1.2 and has a valid certificate.
Is there anything else to know about the encryption standards?
Status callbacks
For status callbacks, in addition to supporting TLS 1.2, the customer's server must support one of the cipher suites below:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
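A preflight check for a callback endpoint against the requirements above ("https:" URL, hostname rather than IP address, TLSv1.2, valid certificate, one of the listed cipher suites), as an added example that is not Adobe's code. The function names are hypothetical, and `probe_tls12` assumes the system trust store is an acceptable stand-in for certificate validation.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Cipher suites this page lists for status callbacks (IANA names).
ACCEPTED_SUITES = set("""
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
""".split())

def check_callback_url(url):
    """Static checks: https scheme and a hostname rather than an IP address."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")
    host = parts.hostname or ""
    if not host:
        problems.append("URL has no host")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append("host is an IP address, not a hostname")
        except ValueError:
            pass  # not an IP literal, so it is a hostname
    return problems

def common_suites(server_suites):
    """Suites the server is configured with that are also on the page's list."""
    return sorted(ACCEPTED_SUITES & set(server_suites))

def probe_tls12(host, port=443, timeout=5.0):
    """Live check: handshake restricted to TLSv1.2 with full verification."""
    ctx = ssl.create_default_context()  # rejects self-signed/expired/mismatched
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]  # cipher name is OpenSSL-style
```

`probe_tls12` raises `ssl.SSLError` or `ssl.SSLCertVerificationError` when the server cannot complete a TLSv1.2 handshake or its certificate fails validation; the cipher name it returns uses OpenSSL naming, so map it to the IANA name before comparing with the list.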